Mitre Corp. has published a study entitled Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense. The study was commissioned by the U.S. government, according to The Register (see first reference, below).

The full 160-page MITRE paper is available for free download here (4MB PDF). [Don't worry — only the first 26 pages are the actual discussion; the balance consists of appendices.]

Here are three interesting articles about the MITRE FOSS study which summarize its contents, findings, and recommendations . . .

Open Source is good for America — US military advised [The Register] — “A report commissioned by the US military concludes that open source and free software should play a greater part in the infrastructure of the world's remaining superpower . . . Mitre Corporation's 152-page study addresses the extent of software libre, or FOSS-licensed software use — FOSS being “Free and Open Source Software”, an acronym uncomfortably evocative to this author of dental hygiene — in various branches of the military . . . It's all over the place already, conclude the authors, and there should be more of it . . .”

Group advises open source for Defense [ZDNet] — “Mitre, a not-for-profit engineering and IT organization that works with the US federal government, has recommended that the US Department of Defense take steps to encourage open-source software in the department's infrastructure . . . Software distributed under open-source licenses can be freely modified and redistributed, as long as the modifications are returned to the community. This autonomy from the software vendor is useful for the Defense Department because it speeds the process of responding to threats, but it also creates ambiguities, Mitre said . . .”

Defense Contractor Says Open-Source Software Is Good For Military [TechWeb] — “Free and open-source software is in widespread use in the U.S. Department of Defense, and is important to defending against cyber attacks, says a report by defense contractor Mitre Corp . . . The report comes about a week after three members of the House of Representatives attacked open source . . . Reps. Adam Smith (D-Wash.), Ron Kind (D-Wisc.), and Jim Davis (D-Fla.) sent a letter to 74 Democrats in Congress attacking Linux's GNU General Public License (GPL) as a threat to American 'innovation and security.' . . . But Mitre takes a different view. Compared with proprietary software, the report says, free and open-source software provides additional flexibility, autonomy, and the ability to respond faster to attacks . . .”

Excerpts from the MITRE FOSS report

Here is an excerpt from the introduction . . .

. . . The goals of the MITRE study were to develop as complete a listing of FOSS applications used in the DoD as possible, and to collect representative examples of how those applications are being used. Over a two-week period the survey identified a total of 115 FOSS applications and 251 examples of their use.

To help analyze the resulting data, the hypothetical question was posed of what would happen if FOSS software were banned in the DoD. Surprisingly, over the course of the analysis it was discovered that this hypothetical question has a real-world analog in the form of proprietary licenses that if widely used would effectively ban most forms of FOSS. For the purpose of the analysis, the effects of the hypothetical ban were evaluated based on how FOSS is currently being used in survey examples. In the case of niche-dominating FOSS products such as Sendmail (ubiquitous for Internet email) and GCC (a similarly ubiquitous compiler), a large amplification factor must also be taken into account when estimating such impacts. The actual levels of DoD use of such ubiquitous applications are likely to be hundreds, thousands, or even tens of thousands of times larger than the number of examples identified in the brief survey.

The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to and overall expertise in the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks . . .

And from the conclusion . . .

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use. MITRE therefore recommends that the DoD take three policy-level actions to help promote optimum DoD use of FOSS: